With Christmas just around the corner, consumer watchdog Which? has asked retailers to stop selling some popular internet-connected toys which have “proven” security issues that could allow attackers to take control of the toy or send messages.

Toys At Risk

Consumer watchdog Which? has identified toys such as Connect, the i-Que robot, CloudPets and Toy-fi Teddy as vulnerable because they can be paired with over Bluetooth without any authentication.

Children At Risk

The main worry is that children, and the privacy and security of every member of the household, could be put at risk because manufacturers have cut costs, been careless, or rushed their products to market without building in adequate protection against takeover, hacking and reverse engineering, e.g. to conduct surveillance.

Toy Makers Say

In the light of the Which? research, Hasbro, the manufacturer of Furby Connect, has pointed out that attackers would need to do a large amount of reverse engineering of the product, and create new firmware for it, to have any chance of taking control of it.

Vivid Imagination, which makes the i-Que, is reported as saying that although it would review Which?’s recommendations, it is not aware of any reports of these products being used maliciously.

Old Fears

The idea that a toy could pose a security risk in this way dates back to 1998, when the small robotic toy ‘Furby’ was banned by the US National Security Agency.

Also in the US, back in July this year, the FBI issued an urgent announcement describing how internet-connected toys are exposed to such risks and explaining the steps to take to minimise the threat. The main concern appeared to be that young children could tell their toys private information, thinking they were speaking in confidence; that information could then be intercepted via the toy, putting the child and family at risk.

Other Types of ‘Toy’

There was also news this week that Hong Kong-based firm Lovense had to issue a fix for the app controlling its remote (Bluetooth) controlled sex toy (vibrator) after a Reddit user discovered a lengthy audio recording on their phone that had been made during the toy’s operation.

This prompted further concerns about where the audio files (recorded via the user’s smartphone microphone) are being stored. The company is reported as saying that the audio files are not transmitted from the device, that the problem was caused by “a minor bug” limited to Android devices, and that no information or data was sent to its servers.

Not The First Time

This is not the first time that concerns have been raised about IoT sex toys. Back in March, customers of start-up firm Standard Innovation, manufacturer of the IoT ‘We-Vibe’ products, were left red-faced and angry after a court found that the company had covertly gathered data about how (and how often) customers used their Wi-Fi-enabled sex toy.

What Does This Mean For Your Business?

These reports have re-ignited old concerns about the challenge of managing the security of the many Internet-connected / smart / IoT devices that we now use in our business and home settings.

Where businesses are concerned, back in July 2016 a Vodafone survey showed that three quarters of businesses saw their use of the Internet of Things (IoT) as a critical factor in their success. Many technology commentators have also noted that the true extent of the risk posed by IoT device vulnerabilities is unknown, because the devices are so widely distributed globally and large organisations have tended not to include them in their risk assessments of devices, code, data, and infrastructure.

It has also been noted by many commentators that not only is it difficult for businesses to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

Businesses, therefore, may wish to conduct an audit and risk assessment of the known IoT devices used in the business. One basic security measure is to make sure that any default usernames and passwords on these devices are changed as soon as possible.

Security experts also suggest that anyone deploying IoT devices in any environment should require their supply chain to provide evidence of adherence to a well-written set of procurement guidelines based on specific, measurable criteria.

Microsoft has also compiled a checklist of IoT security best practices. It highlights the different areas of security that need to be addressed by the organisations involved throughout the lifecycle of an IoT system, e.g. manufacturing and integration, software development, deployment, and operations.